The LuxSci FYI Blog

by Erik Kangas, PhD, CEO

Plenty of Phish in the C-Suite: Protecting Your Executives

Published: May 9th, 2017

Phishing attacks have grown more complex as hackers learn how to defeat security measures and countermeasures, and their targets have become more lucrative in scope and scale: the CEOs, CFOs, CMOs, and other executives collectively making up your company’s C-suite. Personalized hacks that target top executives, known as “spear phishing” or “whaling,” can be incredibly detrimental. Training and awareness are your top tools for strengthening your C-suite’s ability to recognize and defend itself against malicious cyber threats.

The Effects of Spear Phishing

Your company’s reputation is at risk. If a data breach occurs and can be traced back to poor password protection or simple security flaws, your organization will be seen as inherently flawed, arrogant, or technologically stilted. Plenty of examples have been documented over the past decade where companies have been exploited via spear phishing. This has led to the companies losing millions of dollars, and many executives losing the jobs they had held for many years.

Ninety-five percent of all enterprise network attacks are the result of successful spear phishing, and yet 96% of executives fail to recognize fake emails every time. The results are alarming. So what can you do to avoid phishing attacks?

Fighting Through Apathy

Though security awareness has grown across the board, some executives may feel that they are exempt from such training; this viewpoint could not be more dangerous to your company’s privacy and digital integrity. It’s precisely because these executives are ensconced in valuable business data that they become targets for spear phishing and other attacks, which threaten to harm the company’s finances, reputation, information resources, and relationships with other businesses.

The C-suite uses the same network resources as the rest of any team and should be properly informed on how to defend itself.

The Importance of Inclusion

The cost of global cybercrime is estimated to be in the hundreds of billions of dollars, which means that, yes, your business’ executives could become a statistic too. Make sure your C-suite participates in security awareness training sessions and actively discusses the need for investing in cybersecurity. This is not an area a company can afford, quite literally, to ignore.

The executives are at the top of your company’s hierarchy for a reason: They set the examples for the rest of the business to follow. Their attendance, participation, and enthusiasm for security protocols show both how serious the threat is and how seriously the company is taking this threat. Think of it this way: If the CEO appears unconcerned or disinterested in how hacking can disrupt the organization, why would anyone else feel threatened?

Sharpening Their Spears

Crafty hackers utilize social engineering skills and other techniques and gimmicks to lure C-suite executives into a false sense of security. These fiendish actors also invest heavily in learning the corporate culture of those they plan to attack. In successful spear phishing attacks, the terminology used is professionally crafted, complete with the in-words and jargon most commonly used by executives.

Hackers can glean valuable information from even the most casual and innocuous of social media profiles, including Facebook, Twitter, and LinkedIn. Make sure your executives are aware of their privacy options on these accounts.

Phish Tanked

FBI reports suggest more than $2 billion have been lost to a specific scam known as the Business Email Compromise (BEC) scam, or CEO fraud scam. It takes the form of an email that purportedly originates from the CEO’s own email account (a relatively common technique known as “spoofing”) and instructs staff to transfer funds to offshore accounts. A variation involves a spoofed email that requests all individual W-2 forms for staff, which then directs the data to the hacker. No fewer than 55 companies were targeted in the past few years.

From October 2003 to February last year, the BEC scam claimed 17,000 victims, and this strategy has targeted highly visible companies and institutions, including Mattel, the US Energy Department, and Austria’s FACC, supplier to Boeing and Airbus. Symantec notes that the manufacturing sector is particularly vulnerable because of its complex chain of suppliers, contractors, and subcontractors. Hackers have also targeted smaller companies with the express purpose of gaining access to larger companies with whom they have relationships.

The Healthiness of Skepticism

These hacks are highly organized and occasionally funded or given valuable resources by professional criminals. They can and will exploit the most common weakness in any company’s line of cybersecurity: human emotion. Reports from 2015 suggest users still open 23% of phishing emails and 11% of attachments.

Preach a culture of skepticism within your organization. If an email attempts to extract personal information or financial data, or if it provides a link to a website that wants to know valuable details about your life, assume it is bogus. A follow-up call or email to the supposed sender of a strange-seeming email can save a lot of money, time, and embarrassment. As helpful as they are, you should not rely solely on spam filters.

What to Do

Even allowing for the C-suite’s valuable time and energy, security awareness programs are a must. Most C-suite executives believe that they are vulnerable, but that information security should not be their concern.

Hackers gain new entry points and new subversive tactics every month, and your company’s security team must stress the significance of staying vigilant. Any programs or meetings should be direct, concise, and straightforward. The language should clearly detail, in steps, what the C-suite can do to protect itself. Avoid overly technical explanations; use language with which the C-suite is familiar.

Furthermore, prevent standard phishing attacks by using a combination of IP reputation lists and bad domain lists to filter out potential entry points for hackers. Consider integrated cloud solutions with secure file sync and share, as well as email protection suites that include real-time URL scanning.
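As an added illustration (not LuxSci’s code or product), the check below flags the CEO-fraud pattern described under “Phish Tanked” and applies the bad-domain filtering recommended above: a message whose display name claims to be an executive while the actual sender or reply address lives outside the company’s domain or on a blocklist. The company domain, executive directory, blocklist, and sample messages are all constructed for the example.

```python
# Added example, not from the original post: heuristic executive-impersonation
# (BEC) check over parsed email headers. All names, domains and messages are
# constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory entry
BAD_DOMAINS = {"example-payments.biz"}              # assumed bad-domain list


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw):
    """Return the list of reasons this message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        reasons.append("display name is an executive but address differs")
    if exec_addr and _domain(addr) != COMPANY_DOMAIN:
        reasons.append("executive name with external sender domain")
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    for d in {_domain(addr), _domain(reply_addr)} & BAD_DOMAINS:
        reasons.append(f"domain on bad-domain list: {d}")
    return reasons


# Constructed sample: lookalike sender domain, executive display name,
# and a Reply-To pointing at a blocklisted domain.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@example-payments.biz
Subject: Urgent wire transfer

Please wire the funds today.
"""

# Constructed sample: genuine message from the executive's real address.
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Board agenda

See attached.
"""
```

A real deployment would pull the executive directory and blocklist from the mail gateway’s configuration rather than hard-coding them.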

Strategists are designing algorithms every day to scan emails more effectively to reduce spam and spoofs, but in the meantime, the only defense against carefully crafted, individually targeted phishing attempts is to improve the overall judgment and awareness of the C-suite.

How prepared is your C-suite for a spear phishing attack? Let us know your thoughts below.